The recent cyber attack on researchers has taken a concerning turn, as it has been revealed that the threat actors are not only using zero-day exploits but also planting a standalone Windows tool to download critical program metadata from various symbol servers.
According to reports, the attack began when the threat actors established contact with the targeted researcher. They then sent a malicious file that contained at least one zero-day exploit for an undisclosed software package. Google, which reported the attack, refrained from naming the software package in its notification.
Once the zero-day exploit succeeds, the threat actors' shellcode first runs a series of anti-virtual-machine checks and, if none trigger, collects information and captures screenshots from the victim's device, which it sends to an attacker-controlled C2 domain.
However, the attack doesn’t stop at zero-day exploits. The threat actors have also developed a standalone Windows tool, which they use to download debugging symbols and critical program metadata from symbol servers belonging to Microsoft, Google, Mozilla, and Citrix. Symbol servers provide additional information about a binary, which proves useful when debugging software issues or conducting vulnerability research.
At first glance, the tool appears to be a useful utility for quickly and easily downloading symbol information from various sources. The source code for this tool was first published on GitHub on September 30, 2022, and has since received several updates. This tool, developed and distributed by the threat actors, acts as a disguise for their malicious activities.
The concerning part is that the tool not only downloads debugging symbols but also has the capability to download and execute arbitrary code from an attacker-controlled domain. This grants the threat actors even more control over the victim’s system, potentially leading to further compromise and infiltration.
The motive behind this attack is still unclear, as is the identity of the threat actors. However, the scale of the attack and the sophistication of their methods suggest that this is a highly organized and well-funded group. Additionally, the fact that they are targeting researchers indicates an interest in intellectual property theft or gaining unauthorized access to sensitive information.
The cyber security community and law enforcement agencies are working diligently to investigate this attack and identify the threat actors behind it. It is crucial for organizations and individuals to remain vigilant and employ strong security measures to mitigate the risk of falling victim to such attacks.
In conclusion, the recent cyber attack that targeted researchers has taken a worrisome turn with the discovery of a secondary infection vector. The threat actors not only used zero-day exploits but also developed a standalone Windows tool to download critical program metadata from symbol servers. This multifaceted attack highlights the sophisticated and evolving nature of cyber threats, underscoring the importance of continual vigilance and robust security measures.